Botnet Swipes Two Million Passwords, Most Of Them Were Really Bad

There's a lot we can learn from the recent revelation that a large instance of the Pony botnet gathered some two million passwords: First, use software to guard against key loggers and second, people are terrible at passwords.


Earlier this week, Trustwave released their study on a massive botnet, one of many managed using the Pony botnet controller. The researchers gained control of the botnet, taking the place of its Command and Control server. Once in control, they discovered that the botnet had managed to steal about two million passwords from infected computers. They also discovered something that most of us already know: that people are terrible at passwords.

Get To The Passwords

The two million compromised accounts are a significant haul, spread between 1.58 million website credentials, 320,000 email logins, 41,000 FTP accounts, 3,000 Remote Desktop credentials, and 3,000 Secure Shell account credentials. The concern, of course, is how many of the affected users had selected the same password for other sites.

Researchers found 318,121 Facebook credentials which accounted for a whopping 57 percent of the total. Yahoo was next with about 60,000 accounts, followed by 21,708 Twitter accounts, 8,490 LinkedIn passwords, and 7,978 accounts for the payroll provider ADP. This last one is a bit unusual, but also quite damaging as it gives attackers access to victims' personal information.

What scared me the most was the 16,095 Google.com credentials and 54,437 Google Account credentials. These could allow attackers to access Gmail, and from there reset other passwords using the "forgot my password" feature on websites. It could also give attackers access to private files in Google Drive, or payment information in Google Wallet.

All this doesn't mean there was a massive attack against these sites. It's more likely that criminals managed to harvest these addresses via multiple means, such as phishing and keyloggers, and had stored them on these servers. They could be selling them to other buyers or saving them for future use.

Terrible Passwords, Again

Trustwave broke down the passwords into categories: six percent of them were "terrible," while 28 percent of them were "bad." A combined 22 percent were either "good" or "excellent," and 44 percent were "medium." Among the worst were 123456, 123456789, 1234, and "password."

Most of the passwords did not mix letters and numbers. The majority of the passwords were either all letters (same case) or all numbers, followed by passwords that had two types (mix of upper and lower case letters, or lower case letters with numbers, for example), Trustwave said.

One good finding was that almost half (46 percent) of the passwords were long, at 10 characters or more. The majority of the passwords were within the six-to-nine-character range, said Trustwave.
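The breakdown Trustwave describes (how many character classes a password mixes, how long it is, and which exact strings recur across accounts) is straightforward to reproduce over a credential dump. The script below is an added example, not Trustwave's tooling or code from the article: it runs over a constructed sample list (only the four "worst" strings named above come from the article), uses the six-to-nine and ten-or-more length ranges the article reports, and counts character classes the way the article describes (all letters of one case, all digits, two types, and so on). Trustwave's "terrible" to "excellent" labels are not reproduced because their exact criteria are not given.

```python
from collections import Counter

# Constructed sample credential dump for illustration; these are not passwords
# from the Trustwave data set (only the four "worst" entries are named in the article).
SAMPLE_PASSWORDS = [
    "123456", "123456789", "1234", "password", "123456", "qwerty",
    "Summer2013", "abc123", "correcthorsebattery", "Tr0ub4dor&3",
    "password", "iloveyou",
]


def char_classes(pw):
    """Return the set of character classes a password draws from.

    Four classes are distinguished: lowercase letters, uppercase letters,
    digits, and everything else (symbols, spaces, non-ASCII)."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def length_bucket(pw):
    """Bucket by length using the ranges the article reports (six-to-nine, ten or more)."""
    n = len(pw)
    if n <= 5:
        return "1-5"
    if n <= 9:
        return "6-9"
    return "10+"


def analyze(passwords):
    """Summarise a list of recovered passwords the way a breach write-up does:
    how many character classes each mixes, how long they are, and which
    exact strings recur (reuse across victims is what makes a dump valuable)."""
    total = len(passwords)
    class_counts = Counter(len(char_classes(pw)) for pw in passwords)
    length_buckets = Counter(length_bucket(pw) for pw in passwords)
    # Only strings shared by more than one account are interesting as "worst" candidates.
    reused = [(pw, n) for pw, n in Counter(passwords).most_common() if n > 1]
    return {
        "total": total,
        "class_counts": class_counts,
        "length_buckets": length_buckets,
        "most_common": reused,
    }


def percent(part, total):
    """Share of the total as a percentage rounded to one decimal place."""
    return round(100.0 * part / total, 1) if total else 0.0


if __name__ == "__main__":
    report = analyze(SAMPLE_PASSWORDS)
    print(f"{report['total']} passwords")
    for k in sorted(report["class_counts"]):
        share = percent(report["class_counts"][k], report["total"])
        print(f"  {k} character class(es): {share}%")
    for bucket in ("1-5", "6-9", "10+"):
        share = percent(report["length_buckets"][bucket], report["total"])
        print(f"  length {bucket}: {share}%")
    for pw, n in report["most_common"]:
        print(f"  reused {n}x: {pw}")
```

Run on a real dump, the "most_common" list is the part a defender acts on first: every string that appears under more than one account is a candidate for a deny-list in the password policy, and the single-class share shows how much of the population a simple dictionary attack would cover.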

High-Profile Targets

As far as Lucas Zaichkowsky, an enterprise data architect at AccessData, was concerned, the bigger worry is that the criminals will look for accounts that belong to people "at high value target organizations." If it turns out these people used the same passwords on these sites as well as for work-related resources, then attackers can break into the corporate network via VPN or email via a Web-based client, Zaichkowsky noted.

"They can sell the valuable accounts to others on the black market who pay big money for valid credentials that get them into profitable target organizations," Zaichkowsky said.

People do use their work email addresses for personal activities, such as signing up for accounts on Facebook. Cesar Cerrudo, CTO of IOActive, found various military personnel, including generals and lieutenant generals ("future generals," Cerrudo called them) had used their .mil email addresses to create accounts on travel site Orbitz, GPS company garmin.com, Facebook, Twitter, and Skype, to name a few. This makes the prospect of password reuse even more problematic, as these individuals are very valuable as targets and have access to a lot of sensitive information.

Qualys Director of Engineering Mike Shema, however, said that he sees hope in the future. "Looking toward 2014, two-factor authentication will continue to gain momentum throughout enterprise and consumer technology, and many apps will begin to adopt two-factor as well. We will also see the rise of smart crypto-engineering for multi-authentication passwords." Two-factor authentication requires a second authentication step, like a special code sent via text message.

Staying Safe

The general consensus is that these passwords were harvested from user machines rather than stolen from the sites themselves, which is a pleasant change of pace. Keyloggers are a likely suspect, and particularly dangerous. These malicious applications not only capture keystrokes but also screenshots, the contents of your clipboard, the programs you launch, and the sites you visit, and they can even sift through IM conversations and email threads. Fortunately, most anti-virus software should have you covered. We recommend Editors' Choice award winners Webroot SecureAnywhere AntiVirus (2014) or Bitdefender Antivirus Plus (2014).

Note that some AV programs don't block "greyware" or "potentially unwanted programs" by default. Keyloggers sometimes fall into this category, so be sure to enable this feature.

Phishing and other tactics to trick victims into giving out password info are harder to block. Fortunately, we have lots of tips on how to spot phishing attacks and how to avoid social engineering attacks. All it takes is a little extra thought, and you can keep from becoming a statistic.

Most important of all, people should use a password manager. These applications create and store unique, complex passwords for every site or service you use. They'll also automatically log you in, making it much harder for keyloggers to snatch your information. Be sure to try out Dashlane 2.0 or LastPass 3.0, both of which are our Editors' Choice award winners for password management.

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on...

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.